Hi Ricardo, in this case it's probable that the Windows agent is dropping UDP packets from the manager due to overflow. The default UDP buffer size in Linux is 212992 (208 KiB) but I think that in Windows it is only 8 KiB. OSSEC resizes the buffer to 6 KiB (the maximum message length) when the default size is less than 6 KiB.
File ar.conf comes in the merged.mg. Try to send a very small shared file (remove every file in the manager's /var/ossec/etc/shared except ar.conf), restart the manager and then restart the agent. You may also try to increase the network buffer size in Windows. This may help you: http://smallvoid.com/article/winnt-winsock-buffer.html.

Best regards.

On Fri, Jul 7, 2017 at 10:08 AM, Ricardo Galossi <[email protected]> wrote:
> Hi Victor,
>
> Thanks for your reply. I did everything you told me, but the error persists. I keep receiving many logs like the one below:
>
>     ossec-agentd: Failed md5 for: shared/merged.mg -- deleting.
>
> A new thing that I realized is that the file ar.conf is not present in the Windows agent installation directory either; I tried to restart the agent remotely and saw it. After I enabled debug on the Windows agent I was able to see this log:
>
>     ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows Server 2012 Datacenter Edition (full) (Build 9200) - OSSEC HIDS v2.9.0 / e204e0200d4f36c5c80b071e2e1ef79b
>     x merged.mg
>
> The point is, this checksum is not the same as that of agent.conf or merged.mg on the OSSEC server. I kinda gave up on this and tried to do everything manually: I created a blank agent.conf within the C:\Program Files (x86)\ossec-agent\shared directory and restarted the agent; in the log file the error (ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found) isn't being shown anymore, but agent.conf doesn't synchronize, it remains blank.
>
> I don't know what to do anymore; I reinstalled the agent and the server, tried different Windows installations and tried with OSSEC 2.8.3, but the problem remains. The funny point is that it only happens on Windows agents; on Linux agents everything works perfectly.
>
> If I copy the content of agent.conf from the server to the Windows agent, everything works. But I don't know if it can bring me some problem in the future.
>
> On Monday, July 3, 2017 at 11:39:52 UTC-3, Victor Fernandez wrote:
>> Hi,
>>
>> it is strange that the log indicates line 147 when it was not able to read it. Maybe the agent.conf file is not arriving at the agent or it is being discarded due to a checksum error.
>>
>> First, please remove file *merged.mg* from folder *shared* in the agent and the manager. Then enable debugging log in order to know where the problem is.
>>
>> - On the manager:
>>
>>     /var/ossec/bin/ossec-control enable debug
>>     /var/ossec/bin/ossec-control restart
>>
>> - On the agent, add this line to file *local_internal_options.conf*:
>>
>>     windows.debug=1
>>
>> and restart the agent. When it gets connected, the manager should log a message like:
>>
>>     ossec-remoted: Sending file 'merged.mg' to agent.
>>
>> and that file should appear immediately in the agent (folder *shared*). After a few seconds, when the file is completely delivered, it should be unmerged into every file that exists in the manager's shared folder.
>>
>> A common issue is that the file doesn't arrive properly (e.g. some packets were lost or corrupted); then the file *merged.mg* will disappear suddenly and the Windows agent should log:
>>
>>     ossec-agent: Failed md5 for: merged.mg -- deleting.
>>
>> In this case, the manager will retry to send the file every 10 minutes.
>>
>> But as I mentioned before, an error message about reading a file that indicates a line different from 0 makes no sense. However, I hope this helps you.
>>
>> Best regards.
>>
>> On Mon, Jul 3, 2017 at 11:44 AM, Jesus Linares <[email protected]> wrote:
>>> Hi
>>>
>>>> ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 147).
>>>
>>> What is in line 147?
>>>
>>> More information about the agent.conf and the process to synchronize it:
>>> https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html
>>>
>>> I hope it helps.
>>> Regards.
>>>
>>> On Sunday, July 2, 2017 at 3:30:07 AM UTC+2, Ricardo Galossi wrote:
>>>> Hi guys,
>>>>
>>>> I'd like to ask for some help here..
>>>>
>>>> My Windows agents are not synchronizing shared/agent.conf; within the C:\Program Files (x86)\ossec-agent\shared directory there is no agent.conf even after restarting the Windows agent. My agent.conf follows below:
>>>>
>>>>     <agent_config>
>>>>       <syscheck>
>>>>         <directories realtime="yes" check_all="yes">C:\labtest</directories>
>>>>       </syscheck>
>>>>     </agent_config>
>>>>
>>>> In the agent log file I receive the following message:
>>>>
>>>>     ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 147).
>>>>
>>>> If I create the file agent.conf manually the configuration works (which proves that the configuration is ok), but it also doesn't synchronize if I try to change it.
>>>>
>>>> Am I making some mistake? Please, help me!!
>>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> Victor M. Fernandez-Castro
>> IT Security Engineer
>> Wazuh Inc.
>

--
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.
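An added diagnostic example, not code from this thread or from OSSEC itself: it rebuilds merged.mg from a constructed shared directory (the ar.conf content is made up; agent.conf is the one quoted above), using the "!<size> <name>" header layout that OSSEC's MergeFiles() is assumed to write, and then checks a copy of merged.mg taken from an agent for the truncation that a lossy UDP delivery leaves behind before the agent's md5 check deletes the file.

```python
import hashlib

# Constructed sample of a manager's /var/ossec/etc/shared directory: ar.conf
# content is made up, agent.conf is the one quoted in the thread.
SHARED = {
    "ar.conf": b"restart-ossec0 - restart-ossec.sh - 0\n",
    "agent.conf": b"<agent_config>\n  <syscheck>\n"
                  b'    <directories realtime="yes" check_all="yes">C:\\labtest</directories>\n'
                  b"  </syscheck>\n</agent_config>\n",
}


def merge_shared(files):
    """Build merged.mg the way OSSEC's MergeFiles() is assumed to: each file is
    preceded by a '!<size> <name>\\n' header and then copied in verbatim."""
    out = bytearray()
    for name, data in sorted(files.items()):
        out += b"!%d %s\n" % (len(data), name.encode())
        out += data
    return bytes(out)


def unmerge_shared(blob):
    """Split merged.mg back into files. Returns (files, error); error names the
    first entry that is truncated or malformed, i.e. what a lossy UDP delivery
    leaves behind before the agent's md5 check deletes the file."""
    files, pos = {}, 0
    while pos < len(blob):
        nl = blob.find(b"\n", pos)
        if nl < 0 or blob[pos:pos + 1] != b"!":
            return files, "malformed header at offset %d" % pos
        size_s, _, name = blob[pos + 1:nl].decode(errors="replace").partition(" ")
        if not size_s.isdigit():
            return files, "bad size in header at offset %d" % pos
        size = int(size_s)
        body = blob[nl + 1:nl + 1 + size]
        if len(body) < size:
            return files, "%s truncated: %d of %d bytes" % (name, len(body), size)
        files[name] = body
        pos = nl + 1 + size
    return files, None


def diagnose(manager_blob, agent_blob):
    """Compare the manager's merged.mg (by md5, as the agent does) with the copy
    found on an agent and say which shared file the agent's copy breaks at."""
    if hashlib.md5(manager_blob).hexdigest() == hashlib.md5(agent_blob).hexdigest():
        return "ok"
    _, err = unmerge_shared(agent_blob)
    return "corrupt: " + (err or "same layout, different content")
```

Run diagnose() with the manager's merged.mg and a copy pulled from the Windows agent's shared folder; a truncation report on the last entry is consistent with the packet-loss explanation given in the thread.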
